Hi Dan, I have too little skill to adjust a decoder.. can you make this for me? I don't know where to start making it...
Thanks for your time..

On Wednesday, 31 October 2018 13:56:37 UTC+1, dan (ddpbsd) wrote:
>
> On Wed, Oct 31, 2018 at 7:46 AM Giorgio Biondi <[email protected]> wrote:
> >
> > Hi all,
> >
> > I have some entries in the log on my mail server (with the ossec agent installed) like this:
> >
> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
> >
> > and my ossec server in alert.log says:
> >
> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
> >
> > ** Alert 1540983795.5645464: mail - dovecot,invalid_login,authentication_failed,
> > 2018 Oct 31 12:03:15 (mailscanner04.tech2.it) 10.12.14.36->/var/log/messages
> > Rule: 9705 (level 7) -> 'Dovecot Invalid User Login Attempt.'
> > Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
> >
> > The problem is: rule 9705 in the dovecot rules has level 7, and in my ossec.conf all rules over level 6 trigger an active response.. but not for 'dovecot'.. I don't understand why..
> > All AR work fine for ALL other rules.. http and smtp.. only dovecot doesn't trigger an active response..
> >
> > Any suggestions are appreciated.
> >
> > Giorgio Biondi
> >
>
> The log message you provided does not decode the IP address.
>
> root@buildtest:/home/ddp/src/ossec-hids# /var/ossec/bin/ossec-logtest
> 2018/10/31 12:48:38 ossec-testrule: INFO: Reading local decoder file.
> 2018/10/31 12:48:38 ossec-testrule: INFO: Started (pid: 17409).
> ossec-testrule: Type one log per line.
> Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36
>
>
> **Phase 1: Completed pre-decoding.
>        full event: 'Oct 31 12:03:15 mailscanner04 dovecot: pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36'
>        hostname: 'mailscanner04'
>        program_name: 'dovecot'
>        log: 'pop3-login: Disconnected (auth failed, 1 attempts): user=<[email protected]>, method=PLAIN, rip=222.252.6.70, lip=10.12.14.36'
>
> **Phase 2: Completed decoding.
>        decoder: 'dovecot'
>
> **Phase 3: Completed filtering (rules).
>        Rule id: '9705'
>        Level: '5'
>        Description: 'Dovecot Invalid User Login Attempt.'
> **Alert to be generated.
>
> The decoders will have to be adjusted for the IP to get pulled out and be useful for active response.
> You might be able to adjust the <decoder name="dovecot-authfailed"> decoder to fit.
>
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
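An added example (not the project's shipped decoder.xml and not dan's code) of what the adjustment dan describes could look like: a child of the stock "dovecot" parent decoder whose regex pulls the remote IP from the "Disconnected (auth failed, N attempts)" line quoted in this thread and assigns it to srcip, which is the field active response keys on. The prematch, regex and field order are assumptions derived from that single log line and must be checked with ossec-logtest before relying on them.

```xml
<!-- Added example, not the project's own decoder: extract rip= as srcip
     from the dovecot auth-failure line so active response can use it.
     Regex and order are assumptions based on the one log line in the thread. -->
<decoder name="dovecot-authfailed">
  <parent>dovecot</parent>
  <!-- OSSEC regex syntax: \( and \) are literal parentheses,
       \d+ is one or more digits, \S+ is a run of non-space characters,
       and a plain '.' is a literal dot. -->
  <prematch>-login: Disconnected \(auth failed, \d+ attempts\): </prematch>
  <!-- Matching continues right after the prematch. The user field keeps
       its surrounding angle brackets; the two IPv4 fields become
       srcip (rip=) and dstip (lip=). -->
  <regex offset="after_prematch">^user=(\S+), method=\S+, rip=(\d+.\d+.\d+.\d+), lip=(\d+.\d+.\d+.\d+)</regex>
  <order>user, srcip, dstip</order>
</decoder>
```

Two things to verify before enabling this. First, feed the same log line to /var/ossec/bin/ossec-logtest: Phase 2 should now report a srcip field holding 222.252.6.70 instead of only "decoder: 'dovecot'"; if it still shows no srcip, the prematch or regex does not fit the line. Second, OSSEC tries the children of a parent decoder in the order they were loaded and stops at the first prematch that matches, so a copy placed in local_decoder.xml is only reached if the stock dovecot-authfailed decoder does not already claim the line; editing that stock decoder in place, as dan suggests, avoids the question. The active-response block in ossec.conf must also declare <expect>srcip</expect> for the extracted address to be handed to the script.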
